Endpoint Protection

  • 1.  SEP port clarification

    Posted Aug 27, 2009 03:02 AM
    I have done some reading but I still have some doubts on this. So, I would like to get some clarification from someone if possible.

    I intend to host a SEP Manager in my office, then configure the SEP Clients at other branches to report to the SEP Manager in my office. The branches are connected through VPN. I would need to put some control on the ports for this. I read and it seems like I just need to open port 8014 for communication between client and manager? Do I need to open other ports? Is port 8014 used for patch uploading from manager to client as well? SEP documentation mentioned we have to open the ephemeral ports (1024-65535), but I think it does not make sense, as the ports needed are too many and it invites risk.

    My ultimate goal is to enable the communication between the client and manager, which will be going through firewall filtering. Is port 8014 alone sufficient? Is it 2-way communication or just 1-way if I need to open the firewall port?

    Thanks.


  • 2.  RE: SEP port clarification
    Best Answer

    Posted Aug 27, 2009 04:42 AM

    The Symantec Endpoint Protection Manager (SEPM) uses two web servers: Internet Information Services (IIS) and Tomcat. IIS uses port 8014; Tomcat uses ports 9090 and 8443. The communication between IIS and Tomcat uses the HTTP protocol. IIS uses port 9090 to talk to Tomcat, Tomcat uses port 80 to talk to IIS.

    Client-Server Communication:
    For IIS, SEP uses HTTP between the clients and the server. For the client-server communication it uses port 8014.

    Remote Console:
    9090 is used by the remote console to download .jar files and display the help pages.
    8443 is used by the remote console to communicate with SEPM and the Replication Partners to replicate data.

    Considering your scenario...

    Just open 8014 in the firewall. Clients will connect to this port for communication.
    SEPM is listening on port 8014 and waiting for connections.

    You don't need to open ports (1024-65535) in the SEPM system. The concept is simple: when a client connects to a web server at some port (i.e. 80 or 8014) it needs to open a random port in the local system to establish the communication... that's how TCP/IP sockets work.

    Simple example...
    When you connect to google.com at port 80 you need to open a random port (i.e. 3355) on your machine as well so that the web server can also communicate with you, right? That happens in the background, and that's why random ports are used.

    To see it, just open some websites, go to the command prompt and type netstat -nao

    Go through this chart. It clearly states that for client-server [SEPM] communication you need to open 8014.

     
    | Port Number | Port Type | Initiated by | Listening Process | Description |
    |-------------|-----------|--------------|-------------------|-------------|
    | 80, 8014 | TCP | SEP Clients | svchost.exe (IIS) | Communication between the SEPM manager and SEP clients and Enforcers. (8014 in MR3 and later builds, 80 in older.) |
    | 443 | TCP | SEP Clients | svchost.exe (IIS) | Optional secured HTTPS communication between a SEPM manager and SEP clients and Enforcers. |
    | 1433 | TCP | SEPM manager | sqlservr.exe | Communication between a SEPM manager and a Microsoft SQL Database Server if they reside on separate computers. |
    | 1812 | UDP | Enforcer | w3wp.exe | RADIUS communication between a SEPM manager and Enforcers for authenticating unique ID information with the Enforcer. |
    | 2638 | TCP | SEPM manager | dbsrv9.exe | Communication between the Embedded Database and the SEPM manager. |
    | 8443 | TCP | Remote Java or web console | SemSvc.exe | HTTPS communication between a remote management console and the SEPM manager. All login information and administrative communication takes place using this secure port. |
    | 9090 | TCP | Remote web console | SemSvc.exe | Initial HTTP communication between a remote management console and the SEPM manager (to display the login screen only). |
    | 8005 | TCP | SEPM manager | SemSvc.exe | The SEPM manager listens on the Tomcat default port. |
    | 39999 | UDP | Enforcer | | Communication between the SEP Clients and the Enforcer. This is used to authenticate Clients by the Enforcer. |
    | 2967 | TCP | SEP Clients | Smc.exe | The Group Update Provider (GUP) proxy functionality of the SEP client listens on this port. |


    source: http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/edda0cd89141a6788025734e004b6a02?OpenDocument
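    As an added illustration of the ephemeral-port point made above (this is example code added here, not part of the original post and not Symantec's software): a local listener on 127.0.0.1 stands in for SEPM, the listening port is chosen by the OS (port 0) instead of 8014 so the demo never collides with a real service, and one client connects to it. Both sides then report the ports they see.

```python
import socket
import threading


def _serve_one(listener: socket.socket, result: dict) -> None:
    # Accept exactly one client and record the address the server sees for it.
    conn, peer = listener.accept()
    with conn:
        result["peer_as_seen_by_server"] = peer  # (client_ip, client_ephemeral_port)


def demo_ephemeral_port(listen_port: int = 0) -> dict:
    """Start a local listener (standing in for SEPM on 8014) and connect one
    client to it. Returns the ports observed on both sides.

    listen_port=0 asks the OS for any free port; a real manager would use 8014.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", listen_port))
    listener.listen(1)
    server_port = listener.getsockname()[1]  # the one fixed port a firewall rule names

    seen = {}
    worker = threading.Thread(target=_serve_one, args=(listener, seen))
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", server_port))
    _, local_port = client.getsockname()    # OS-picked ephemeral port on the client
    _, remote_port = client.getpeername()   # the server's fixed listening port
    worker.join()
    client.close()
    listener.close()

    return {
        "server_listen_port": server_port,
        "client_local_port": local_port,
        "client_remote_port": remote_port,
        "server_saw_client_port": seen["peer_as_seen_by_server"][1],
    }


if __name__ == "__main__":
    for key, value in demo_ephemeral_port().items():
        print(f"{key:24} {value}")
```

    Run it and compare with netstat: the server side shows one fixed listening port, while the client side shows an OS-picked ephemeral port that the server learns from the connection itself. A stateful firewall only needs a rule allowing the client's outbound connection to the SEPM port; the reply traffic to the ephemeral port belongs to that same connection, so the 1024-65535 range does not need a rule of its own.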


  • 3.  RE: SEP port clarification

    Posted Aug 27, 2009 04:46 AM
    For the communication to happen between manager and client you just need to open port 8014; everything is going to happen over this port.

    It's a one-way communication; the communication is always initiated by the client on port 8014.

    (The client initiates the communication by reading the sylink.xml file; smc.exe is the process which is responsible.)

    let me know if you have any more questions...



  • 4.  RE: SEP port clarification

    Posted Aug 30, 2009 02:58 AM

    Everybody is right here when they say that we need to open port 8014 for communication between SEPM and the client. (This is the case when SEPM is installed on the Custom website.) If SEPM is installed on the Default website it uses port 80.

    In other words, what we need to do is open the port on which SEPM is installed in IIS; it may be 8014 or 80 or any other port that you configure. There is no hard and fast rule that clients will only communicate on 8014. They communicate on any port that is open and free, not used by any other application.



  • 5.  RE: SEP port clarification

    Posted Sep 02, 2009 08:11 PM
    I have a question about port 8014, which may also be creating a problem...maybe.
    Our firewall device, WatchGuard Firebox, shows clients being denied trying to communicate with the server using port 8014.
    I set up a policy allowing this traffic to pass through port 8014 but I'm still seeing the denials.

    My question(s) are:
    If traffic gets denied through port 8014, what are the results I'm going to see?
    Where can I go to see if traffic through port 8014 ISN'T getting through?

    I looked at the client/server activity logs and I see the two talking to each other; the clients look like they're getting updates.

    Brad


  • 6.  RE: SEP port clarification

    Posted Sep 02, 2009 08:43 PM
    In your case, the first thing we need to check is which port in IIS is being used by Symantec.

    Secondly, on the client's yellow shield do you see a green dot? If yes, it means that the client is communicating.

    Symantec Endpoint Protection: Troubleshooting Client/Server Connectivity

    Testing Communication from an Endpoint Protection client to the Endpoint Protection Manager
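    Brad's question about whether traffic is actually reaching the manager on 8014 can be checked from the client side with a plain TCP probe, which is also what the "testing communication from a client to the manager" step amounts to. The following is example code added here (not from the original thread and not one of Symantec's tools); `sepm.example.internal` is a placeholder hostname, and the default ports are the client-communication ports from the chart in the best answer. The three outcomes are distinguishable: a completed handshake means something listens, an immediate refusal means the host is reachable but nothing listens on that port (for example, the IIS site is bound to 80 rather than 8014), and a timeout is the usual signature of a firewall silently dropping the connection.

```python
import socket


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect the way a SEP client would and classify the result.

    'open'        - three-way handshake completed: something is listening
    'refused'     - host answered with RST: reachable, but nothing listens there
    'filtered'    - no answer before the timeout: typical of a firewall drop
    'unreachable' - no route or name resolution failure: the problem is before the firewall
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def check_sepm(host: str, ports=(8014, 443), timeout: float = 3.0) -> dict:
    """Probe the SEPM client-communication ports (8014 HTTP, 443 optional HTTPS)."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def start_local_listener() -> tuple:
    """Throwaway listener on an OS-chosen port so the demo can run offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: the local listener yields "open"; the same port
    # after the listener is closed yields "refused".
    listener, port = start_local_listener()
    print(port, probe_tcp("127.0.0.1", port))
    listener.close()
    print(port, probe_tcp("127.0.0.1", port))
    # Against a real manager (placeholder hostname, assumed to resolve in your network):
    # print(check_sepm("sepm.example.internal"))
```

    Run it on a client behind the branch firewall and read the result against the firewall's deny log: a "filtered" result on 8014 while the Firebox still logs denials means the allow policy is not matching that traffic, whereas "open" plus green-dot clients means the denials belong to some other flow.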